Messages - 1.2 Definition - Authentication

Issue #844 resolved
Nat Sakimura
created an issue

The current definition of Authentication does not go well with some form of authentication such as risk based authentication or location based authentication, etc. Also, it is too deterministic. The previously provisioned credential may be stolen.

Currently, it is defined as: Authentication Act of verifying End-User's possession of previously provisioned credentials.

Proposal: Authentication provision of assurance of the claimed identity of an entity [SOURCE: ISO/IEC 18014-2]

Comments (9)

  1. Michael Jones

    A normal developer, when confronted with "provision of assurance of the claimed identity of an entity", will have no idea what it means.

    Over Skype, Nat and I came to this proposed definition instead:

    verifying that the End-User is authorized to log in with a particular digital identity, which may involve verification of the current or past possession of particular credentials or knowledge, or utilizing risk-based assessment techniques.

  2. Nat Sakimura reporter

    After a bit of thinking, I now believe that this definition is wrong in several respect. Authentication should not be linked to authorized to log in. “Log in” is equivalent to be granted access to a protected resource, which happens to be a user interface. So, this definition is conflating the authorization and authentication. Authentication, as defined in X.1254 and ISO 29115 is “provision of assurance in the identity of an entity”. This is quite accurate, but Mike says this is too abstract. Perhaps could we say this?

    Authentciation Process of verifying the accuracy of the Identity. Typically it involves the verification of the current or past possession of particular credentials including what the entity knows, possesses, has physical feature of, behaves, and combination of these utilizing heuristics.

  3. Michael Jones

    We've refined the definition some more:

    Process of verifying the right of an entity to use the identity. Typically it involves the verification of the current or past possession of particular credentials including what the entity knows, possesses, has physical feature of, behaves, and combination of these utilizing heuristics. The entity is often an End-User or a Client.

  4. Log in to comment